Contact tracing and location data-based applications have recently become the subject of the heated debates in view of their widespread use in the fight against the COVID-19 pandemic.
In response to a large number of related privacy concerns, the European Data Protection Board (the EDPB) has issued Guidelines. One of the main issues the EDPB addresses is the principles for the proportionate use of location data. The EDPB has stressed that when using information about location, it is crucial to give preference to the processing of anonymised data rather than personal data.
Anonymisation or still pseudonymisation?
As fully anonymised records are not personal data, they fall out of the scope of the provisions of the GDPR and can be used without the necessity to observe the GDPR requirements. Therefore, it is very important to distinguish anonymised data from pseudonymised data, as the latter is fully protected under the GDPR. However, this is not easy, especially in the context of location data.
The fundamental distinguishing factor is that data may be considered anonymised if it is no longer possible to link it with an identified or identifiable individual “against any reasonable effort”. Thus, before using location data-based solutions, governments and businesses should carry out the “reasonability test”. The EDBP clarifies that the test should take into account not only objective aspects, such as time or technical methods, but also contextual elements such as “rarity of a phenomenon including population density, nature and volume of data”. Given that these can differ depending on the circumstances, the reasonability test should be made on a case-by-case basis.
The EDBP shed some light on how to carry out the reasonability test and evaluate the effectiveness of anonymisation. It confirmed the validity of the three criteria presented in the opinion of the Article 29 Working Party (the WP29). For anonymisation to be effective, the following must not be possible:
singling-out, i.e. isolating an individual from a larger group;
linkability, i.e. linking different records relating to the same individual;
inference, i.e. deriving—with a high probability—new information about an individual.
If despite the techniques used, the above criteria are not met, data should not be considered as anonymised.
Location data specifics
In practice, satisfying the discussed criteria regarding location data is very difficult. In the aforementioned opinion, the WP29 noted this difficulty and stressed that many studies have shown that location data considered to be anonymised may in fact not be. This is due to the uniqueness of individuals’ trajectories. The WP29 pointed out that many characteristics of data subjects may already be deduced from information about the places where a given data subject stayed at a certain time. The EDPB expressed similar concerns emphasising that individuals’ location traces by their very nature are “highly correlated and unique”, and for this reason they may be exposed to a risk of re-identification.
What approach should be taken when dealing with the anonymisation of location data? The chances of effective anonymisation are greater with a larger set of individuals. The EDPB also stressed that only datasets as a whole, rather than data on its own, can be anonymised. Hence, a single piece of data collected by tracing the mobility of an individual over a long period of time cannot, in the EDPB’s view, be fully anonymised; it should more be considered as pseudonymised. Importantly, according to the EDPB, this could still be the case when removing the tracking details or limiting data storage to information about places where an individual spends a great deal of time. Additionally, location data that is insufficiently aggregated should not be deemed anonymised.
Given the above criteria, it is undoubtedly a technological challenge to strike a balance between preserving dataset’s utility, e.g. in managing the COVID- 19 health crisis, and preventing de-anonymisation.
The robustness of anonymisation should be assessed continuously. Businesses and governments using data location solutions should consider the risk that datasets, which are currently considered anonymised, may become pseudonymised. The assessment should always regard state of the art of anonymisation techniques.